Privacy Policy

1. Privacy Policy

1.1 ROSE Foundation (“ROSE”) (“we”, “us” or “our”) is a charitable foundation set up with the purpose of making cervical screening more acceptable and accessible to women (“Program ROSE”). ROSE understands the importance of protecting the privacy and confidentiality of all your personal and health information. We are committed to safeguarding your privacy and ensuring that your personal data is protected. We therefore take steps to make sure that our policies and practices in relation to personal data comply with the requirements of the Personal Data Protection Act 2010 (the “Act”) and the relevant laws. For the purpose of this privacy policy (“Privacy Policy”), the terms “Personal Data” and “processing” shall have the same meaning as prescribed in the Act.

1.2 This Privacy Policy serves to inform you that your Personal Data is being collected and processed by us or on our behalf when you use our screening services, laboratories facilities or any of our other services (“Services”) or your healthcare service provider or healthcare professional or employer orders a screening for you or you visiting any of our websites including program or project microsites (“Site”). By virtue of your continuous use of the Services and Site, we have deemed by your action that you have agreed to the processing of your Personal Data pursuant to the terms of this Privacy Policy. If you do not agree with any term of this Privacy Policy, please take active steps to indicate to us and discontinue use of any of our Services and Site.

1.3 Our policies and practices with respect to the collection, use, retention, disclosure, transfer, security and access of Personal Data will be in accordance with the laws of Malaysia and are as set out in this Privacy Policy. Please note that this Privacy Policy may be amended from time to time and the updated version posted on the Site. By continuing to engage with us, accessing our Site and/or providing us with your services/products, after the issuance of such amendment notice, you will be considered as having agreed to this Privacy Policy (as amended and updated).
2. How do We Collect Personal Data?

2.1 ROSE collects a range of personal and health information about individuals (“you”, “your”). ROSE may collect this information from you, or from another person dealing with you, such as your healthcare service provider, healthcare professional, or employer, or from third-party technology platforms.

2.2 We also collect information when you register and complete health assessment forms or other documents relating to our Services (both online and hardcopy); or interact with us directly/indirectly or by visiting the Site, we will process your personally identifiable information (i.e., information that is about you and identifies you, including your health information) from you. Our third-party technology service provider may use cookies or similar technologies to collect data about you when you register or sign-up on those platforms. For your information, Cookies are small computer files that can be stored on your computer for the purposes of obtaining configuration information and analysing your browsing habits. They can save you from registering again when re-visiting a web site and are commonly used to track your preferences in relation to the subject matter of the website. You may refuse to accept Cookies (by modifying the relevant Internet options or browsing preferences of your computer system), but if you do so you may not be able to utilise or activate certain available functions on our Site.

2.3 ROSE provides health screening programs and initiatives under Program ROSE to many women, including you. ROSE may at those times collect, use and store your relevant personal and health information (if you were a participant) so that we may provide you with Services and perform the health screenings and related activities. To illustrate: at the time of the health screening, ROSE processes information relating to your cervical health to ensure that we provide you with the optimum service. Once all the HPV DNA tests are performed by ROSE for you, those test results together with the health information which you have provided forms part of your Personal Data which you have with ROSE. We process your health information to provide you with the Services as well as to assist you with your healthcare follow up. You may refuse to consent or not allow us to process this sensitive personal data but if you do so, it may be difficult for us to provide you with Services and you may not be provided access to any healthcare follow up, which is regrettable and not ROSE’s intention.

3. Types of Personal Data Collected

3.1 It is necessary for you to provide us with your Personal Data which are marked or specified as compulsory when you require us to provide you with a Service. If you fail to provide us with such compulsory Personal Data, we will not be able to provide or continue to provide the Services to you.

3.2 If you use our Services and Site, the types of Personal Data we collect may include, but is not limited to:

a) your name, gender, age, telephone number, home address, email address, credit card information, bank account number;

b) the results of all HPV DNA tests performed by ROSE if you are undergoing those tests;

c) medical and health related information, including clinical information which may be provided by you or a healthcare service provider or a healthcare professional ordering an HPV DNA test. This may include a description of current or previous symptoms, health status, family history, health conditions, treatments and other test results; and

d) other information relating to screening and immunisation which is specific to our projects and services at the time we offer the services.

3.3 The type of information that ROSE collects and the way in which it may use and disclose that information varies according to the Services, activities and programmes ROSE provides or undertakes in relation to you, as an individual. Some of the purposes for which your Personal Data may be used are set out in sections below, including the use of Personal Data for direct marketing.

4. Purpose and Use of Personal Data

4.1 You agree that all the Personal Data provided by you to us may be collected and processed by us for the following purposes and for other purposes as may be agreed between you and us or required by law from time to time (collectively, “Purposes”):

a) to perform and provide our Services (including ancillary Services) to you particularly, to perform and to assist in reporting an HPV DNA test that has been ordered, and making recommendations for the management of test results (follow up) to healthcare service providers, healthcare professionals and employers;

b) to perform our other activities and programmes;

c) to process any payment instructions, direct debit facilities and/or credit facilities requested by you or to liaise with a third-party payer;

d) for research, to improve our knowledge, particularly of how to better prevent cancer of the cervix in women. However, no research publication will ever identify an individual without prior written consent from that person. Where small numbers of patient data are used for research purposes, data suppression is routinely applied to prevent inadvertent identification of an individual;

e) for purposes of enforcing a judgement/ court order, assisting or preventing or detecting crime, and/or to meet our other contractual and regulatory obligations;

f) to communicate and to manage our relationship with you, your healthcare service providers, healthcare professionals, clients, employers, employees, employment applicants, service providers, advisors as well as regulators;

g) to provide you with communications with regard to health information, details of healthcare services and its benefits, to support projects and initiatives, and fulfil contractual obligations;

h) to conduct activities related to quality assurance and improvement processes, accreditation and audits and managing legal and other claims;

i) to help investigations into complaints, to respond to complaints and suspected suspicious transactions as well as wrongful disclosure of Personal Data;

j) the normal management, operation and maintenance of the performance of the services including marketing and research (like aggregated behavioural analysis) for service improvements and designing new, or improving existing, services provided by us, and/or our subsidiaries to you; and

k) all other permissible purposes required to operate, maintain and better manage our business and your relationship with us, which we notify you of at the time of obtaining your consent.

4.2 We would also like to use your Personal Data for direct marketing/cross-selling to you (whether by post, email, phone, text messages, social media, telecommunication channels or the likes) in relation to:

a) our offerings and promotions;

b) services, products, discounts and promotions offered by our counterparties, healthcare service providers and/or healthcare professionals; and

c) other offerings and promotions from the third-party merchants that we cooperate with to provide benefits to our customers.
If you do not consent to us processing your Personal Data for direct marketing/cross-selling of other related services, please notify us at the contact details below.

5. Security and Retention

We take all commercially reasonable steps to secure the Personal Data provided to us and we will not retain your Personal Data longer than is necessary for the fulfilment of the purpose for which it is processed and in accordance with relevant laws and requirement to store or retain a copy for documentary evidence, laboratory records and analysis. Where possible, we destroy or permanently delete all Personal Data which is no longer required for the purpose for which it was processed.

6. When is Your Personal Data Disclosed?

6.1 ROSE may disclose your Personal Data for the purposes set out in the previous section. We may also disclose your Personal Data with the following entities or individuals, whether they are located overseas or in Malaysia:

a) to anyone that you have authorised or requested the disclosure to be made including your employer, your insurance broker or insurer, your healthcare service provider, or healthcare professional who ordered the HPV DNA test;

b) at your request or your healthcare service provider’s or healthcare professional’s request, to another healthcare professional;

c) at your healthcare service provider’s or healthcare professional’s request, to another laboratory when a further opinion is being sought on a pathology specimen or for an HPV DNA test that has been ordered but which is not performed at ROSE;

d) to your representative (e.g., a sibling, a spouse, a relative, any next of kin, an authorised representative or lawyer);

e) to our legal advisors and insurers;

f) to the extent required by law or pursuant to any court order. This may include information provided to a Coroner or a Court under a subpoena;

g) to our employees, volunteers, agents, technology/service providers, contractors, advisors, auditors, or our donors, benefactors, business partners and counter parties in connection with our business and discharge/performance of any services related thereto including to process payment instructions; or to relevant authorities or regulators as required by law for purposes of enforcing a judgement/court order, assisting or preventing or detecting crime, and/or to meet our other contractual and regulatory obligations; or to healthcare service providers or healthcare professionals for medical purposes and/or to offer you follow-up services or referral to address your health concerns. However, we would require the aforesaid to comply with confidentiality obligations, relevant privacy laws and this Privacy Policy; and

h) to any party nominated or appointed by us, either solely or jointly with other service providers, for purpose of establishing and maintaining our database and/or providing us with data centres and/or servers located within or outside Malaysia for our business purposes or otherwise.

You hereby acknowledge and consent that the disclosures and transfers, and permit us to disclose and transfer your Personal Data to such third party and its advisors/representatives and/or any other person reasonably requiring the same in order for us to operate and maintain our business or carry out the activities set out in the Purposes.

6.2 ROSE may also disclose your information in other circumstances and to other persons if you have given your express or implied consent, or if we are permitted or required to do so by law (including under the Act, the Private Health Care Facilities and Services Act 1998 and Prevention and Control of Infectious Diseases Act 1988).

7. Your Rights to Your Personal Data

7.1 You have the right to:

a) check whether we hold any of your Personal Data;

b) access your Personal Data held by us;

c) ask us to correct or update any Personal Data which is inaccurate;

d) ascertain our policies and practices (from time to time) in relation to Personal Data;

e) opt out from receiving direct marketing materials from us at any time; and

f) subject to this paragraph 7, limit our processing of your Personal Data.

Any requests in relation to the above shall be in writing or any enquiries and addressed to:
Data Protection Officer
ROSE Foundation
Phone: 019-2327431
1-7, Kompleks Inkubator dan Inovasi (UMX)
Universiti Malaya, Lingkungan Budi
50603 Kuala Lumpur, Malaysia.
7.2 In accordance with the Act, we have the right to charge you a reasonable fee for the processing of any of your Personal Data access request or a data correction request under this clause 7.

7.3 Nothing in this Privacy Policy shall limit your rights under the Act.

7.4 If you have any concerns or complaints about your privacy or the manner in which ROSE has handled your Personal Data, please contact our Data Protection Officer at the contact details above. We will endeavour to resolve your complaint promptly and will provide a written response to you.

8. Accuracy of your Personal Data

You are responsible for ensuring that the information you provide us is accurate, complete, not misleading and kept up to date.

9. Transfer of Personal Data to places outside Malaysia

We may transfer your Personal Data to places outside of Malaysia and you hereby give your consent to the transfer.

10. Conflict

In the event of any inconsistency between the English version and the Bahasa Malaysia version of this Privacy Policy, the English version shall prevail over the Bahasa Malaysia version.
Dated: 10 February 2022
[end of page]